vfGuard: Strict Protection for Virtual Function Calls in COTS C plus plus Binaries

Control-Flow Integrity (CFI) is an important security property that needs to be enforced to prevent control-flow hijacking attacks. Recent attacks have demonstrated that existing CFI protections for COTS binaries are too permissive, and vulnerable to sophisticated code reusing attacks. Accounting for control flow restrictions imposed at higher levels of semantics is key to increasing CFI precision. In this paper, we aim to provide more stringent protection for virtual function calls in COTS C++ binaries by recovering C++ level semantics. To achieve this goal, we recover C++ semantics, including VTables and virtual callsites. With the extracted C++ semantics, we construct a sound CFI policy and further improve the policy precision by devising two filters, namely "Nested Call Filter" and "Calling Convention Filter". We implement a prototype system called vfGuard, and evaluate its accuracy, precision, effectiveness, coverage and performance overhead against a test set including complex C++ binary modules used by Internet Explorer. Our experiments show a runtime overhead of 18.3% per module. On SpiderMonkey, an open-source JavaScript engine used by Firefox, vfGuard generated 199 call targets per virtual callsite - within the same order of magnitude as those generated from a source code based solution. The policies constructed by vfGuard are sound and of higher precision when compared to state-of-the-art binary-only CFI solutions.